<Directory /path/to/media> Options +Indexes Order Deny,Allow Allow from all Satisfy all <Files index.html> [authorization directives] </Files> </Directory>
Depending on how your authentication mechanism works, you may also have to add a RewriteRule directive to deal with an explicit request for index.html:
RewriteRule ^/url/to/media/(.*/)?index.html$ /url/to/media/$1 [R,L]
In my case, using Shibboleth and mod_shib, authentication takes place on an external site and then redirects the client back. I’m guessing that because mod_dir is internally rewriting the URL from */ to */index.html, mod_shib is not handed the “original” URL (with just the trailing slash), but the DirectoryIndex URL.